fedora-infra / fas

Fedora Account System
https://admin.fedoraproject.org/accounts
GNU General Public License v2.0

You can change an account's Yubikey knowing only its password #279

Closed AdamWill closed 4 years ago

AdamWill commented 4 years ago

I bought a new Yubikey 5 I'm going to be replacing my existing Yubikey 3s with. So I used fedora-burn-yubikey to configure it on my FAS account.

To my surprise, this did not ask me to enter a code from my current Yubikey at any point. All I needed to successfully set up the new Yubikey was my account password.

Doesn't this more or less entirely obviate the point of using Yubikeys at all? If I know another FAS user's password, all I need to then be able to "two-factor" authenticate as them is a spare Yubikey. Even if they already have one registered on their account, I can simply replace it.

AdamWill commented 4 years ago

I guess to put it in slightly more specific terms, I'm surprised that this call in fedora-burn-yubikey:

from fedora.client import AccountSystem  # python-fedora client used by fedora-burn-yubikey
fas = AccountSystem(username=opts.username, password=password, base_url=opts.url)
try:
    new_key = fas.send_request('yubikey/genkey', auth=True)
except Exception:
    raise  # error handling elided in the quoted snippet

works for an account with an existing Yubikey registered without requiring any further authentication.
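The missing check, as an added illustration (not code from fedora-infra/fas or fedora-burn-yubikey): a step-up policy for a re-enrolment endpoint like `yubikey/genkey` that refuses to replace a registered Yubikey unless the request also carries a valid OTP from that existing key. `Account`, `allow_genkey` and the injected `verify_otp` callable are hypothetical names; the Yubico OTP format (44 modhex characters, the first 12 being the key's public ID) is real.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A Yubico OTP is 44 modhex characters; the first 12 identify the key.
MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{44}$")


@dataclass
class Account:  # hypothetical model, not the FAS schema
    username: str
    password_ok: bool                 # password already checked by the session layer
    yubikey_public_id: Optional[str]  # public ID of the registered key, or None


def otp_public_id(otp: str) -> Optional[str]:
    """Return the 12-char public identity of a well-formed Yubico OTP, else None."""
    if not MODHEX_OTP.match(otp):
        return None
    return otp[:12]


def allow_genkey(account: Account, otp: Optional[str],
                 verify_otp: Callable[[str], bool]) -> Tuple[bool, str]:
    """Decide whether a yubikey/genkey (re-enrolment) request may proceed.

    verify_otp is the caller's OTP validator (e.g. a YubiCloud/ykval client);
    it is injected here so the policy itself can be exercised offline.
    """
    if not account.password_ok:
        return False, "password not verified"
    if account.yubikey_public_id is None:
        # First enrolment: there is no second factor to step up with yet.
        return True, "no key registered; password-only enrolment allowed"
    if otp is None:
        # This is the case the issue describes: password alone must not suffice.
        return False, "step-up required: OTP from the registered key missing"
    if otp_public_id(otp) != account.yubikey_public_id:
        return False, "OTP is not from the registered key"
    if not verify_otp(otp):
        return False, "OTP rejected by validator (invalid or replayed)"
    return True, "step-up satisfied; registered key may be replaced"


if __name__ == "__main__":
    # Constructed sample: alice has a key registered, bob has none.
    alice = Account("alice", True, "ccccccbcgujh")
    print(allow_genkey(alice, None, lambda o: True))
    print(allow_genkey(Account("bob", True, None), None, lambda o: False))
```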

puiterwijk commented 4 years ago

This is working as expected, and yes, this is really silly. Given that an entire rework is in progress, this will probably not get resolved in this version, and will have to be fixed in the rewrite.

@fedora-infra/authdev

AdamWill commented 4 years ago

Is there an appropriate repo to file an issue for the new project? I'd feel happier having it tracked. The team link above is a 404...

cverna commented 4 years ago

@AdamWill you can add an issue here --> https://github.com/fedora-infra/fas-ng

AdamWill commented 4 years ago

Thanks! Done (for the record).